
Re: my iptables setting not loaded after reboot in fc5



On Thu, May 18, 2006 at 15:44:11 -0500,
  Hongwei Li <hongwei wustl edu> wrote:
> > Create by hand a script to load your rules (many of us do that).
> -- Do you have a sample to let me see? Thanks!

I do a variant of this. I keep a script of iptables rules I use to set things
up, but then I use 'service iptables save' so I can use the normal service.

Here is a sample rules file:

#!/bin/sh

# Protect network with packet filter rules

CERBERUS=129.89.124.28
OTHER1=129.89.124.82
OTHER2=129.89.124.144

# Quickly block traffic no matter what the current rules
/sbin/iptables -I INPUT -j DROP
/sbin/iptables -I FORWARD -j DROP
/sbin/iptables -I OUTPUT -j DROP

# Set policy to drop all packets
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

# Get rid of all rules and chains so that policy controls apply
/sbin/iptables -F
/sbin/iptables -X

# Keep things blocked while building new rule set
/sbin/iptables -I INPUT -j DROP
/sbin/iptables -I FORWARD -j DROP
/sbin/iptables -I OUTPUT -j DROP

# Real rules get defined here

# Log and drop
/sbin/iptables -N ERROR
/sbin/iptables -A ERROR -m limit -j LOG
/sbin/iptables -A ERROR -j DROP

# Chain to check PRIVATE addresses aren't being used
/sbin/iptables -N PRIVATE
/sbin/iptables -A PRIVATE -d 0.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -d 127.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -d 172.16.0.0/12 -j ERROR
/sbin/iptables -A PRIVATE -d 192.168.0.0/16 -j ERROR
/sbin/iptables -A PRIVATE -d 169.254.0.0/16 -j DROP
/sbin/iptables -A PRIVATE -p igmp -d 224.0.0.1 -j DROP
/sbin/iptables -A PRIVATE -d 224.0.0.0/4 -j DROP
/sbin/iptables -A PRIVATE -d 10.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 0.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 127.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 172.16.0.0/12 -j ERROR
/sbin/iptables -A PRIVATE -s 192.168.0.0/16 -j ERROR
/sbin/iptables -A PRIVATE -s 169.254.0.0/16 -j DROP
/sbin/iptables -A PRIVATE -s 224.0.0.0/4 -j ERROR
/sbin/iptables -A PRIVATE -s 10.0.0.0/8 -j ERROR

# Supported services
/sbin/iptables -N SERVICES
/sbin/iptables -A SERVICES -p icmp --icmp-type redirect -m limit -j LOG
/sbin/iptables -A SERVICES -p icmp --icmp-type redirect -j DROP
/sbin/iptables -A SERVICES -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A SERVICES -p udp --dport 53 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 129.89.0.0/16 --dport 80 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 127.0.0.0/8 --dport 80 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 129.89.0.0/16 --dport 443 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 127.0.0.0/8 --dport 443 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A SERVICES -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A SERVICES -m limit -j LOG
/sbin/iptables -A SERVICES -p tcp --dport 113 -j REJECT --reject-with tcp-reset
/sbin/iptables -A SERVICES -j DROP

# For interfaces not allowed to access services
/sbin/iptables -N NOSERVICES
/sbin/iptables -A NOSERVICES -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A NOSERVICES -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A NOSERVICES -m limit -j LOG
/sbin/iptables -A NOSERVICES -p tcp --dport 113 -j REJECT --reject-with tcp-reset
/sbin/iptables -A NOSERVICES -j DROP

# Only allow expected outbound protocols
/sbin/iptables -N OUTBOUND
/sbin/iptables -A OUTBOUND -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTBOUND -p tcp -j ACCEPT
/sbin/iptables -A OUTBOUND -p udp -j ACCEPT
/sbin/iptables -A OUTBOUND -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A OUTBOUND -m limit -j LOG
/sbin/iptables -A OUTBOUND -j DROP

# LO
/sbin/iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -i lo -s $CERBERUS -d $CERBERUS -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s $CERBERUS -d $CERBERUS -j ACCEPT

# ETH4
/sbin/iptables -N ETH4IN
/sbin/iptables -A ETH4IN -s $CERBERUS -j ERROR
/sbin/iptables -A ETH4IN -d 192.168.0.255 -j DROP
/sbin/iptables -A ETH4IN ! -d $CERBERUS -j ERROR
/sbin/iptables -A ETH4IN -j SERVICES
/sbin/iptables -A INPUT -i eth4 -j ETH4IN

/sbin/iptables -N ETH4OUT
/sbin/iptables -A ETH4OUT -d $CERBERUS -j ERROR
/sbin/iptables -A ETH4OUT ! -s $CERBERUS -j ERROR
/sbin/iptables -A ETH4OUT -j OUTBOUND
/sbin/iptables -A OUTPUT -o eth4 -j ETH4OUT

# Log any packets dropped for not being in a previous category
/sbin/iptables -A INPUT -m limit -j LOG
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A FORWARD -m limit -j LOG
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -A OUTPUT -m limit -j LOG
/sbin/iptables -A OUTPUT -j DROP

# Turn network on
/sbin/iptables -D INPUT 1
/sbin/iptables -D FORWARD 1
/sbin/iptables -D OUTPUT 1

